NOCC: cross-site-scripting bug
I have just been forwarded this issue from bugtrack, it's a package I
I got in touch with upstream, and they will keep me updated on this.
I will upload as soon as there's a fix.
Is there anything else (Debian-security related) I should do appart form
trying to help upstream fix this?
-----BEGIN PGP SIGNED MESSAGE-----
ppp-design found the following cross-site-scripting bug in NOCC:
Affected Version: 0.9.5 and maybe all versions before
Immune Version: none, authors are working on it
OS affected: all OS with php and mysql
Vendor-Status: informed, working on a new version
NOCC is a webmail client written in PHP. It provides webmail access to
IMAP and POP3 accounts. Unfortunatly the software displays a message
without checking for any malicous code.
A mail (even a text mail) is rendered as html. So a possible blackhat
can include any malicous code in an email and get full access to any
Just write an email to any NOCC user with the following text inside:
When the user is reading his mail a popup will come up showing his
session id. Of course there are many other possibilities to make use of
possiblilities to enter malicious code, this will only stop this
proof-of-concept from working.
None at the moment, but the authors are allready working on a new version.
Because the software is widly spreaded according to their website, and
any blackhat can easily get full access to any emailaccount that is
managed using NOCC, we are rating the securtiy risk to high.
We have informed the core developers, who reacted fastly and in a
recommedable way. They entered the bug to their bugzilla system. So
there is no need for us to wait with this publication, allthough there
is no fix ready until now.
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or missuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design (http://www.ppp-design.de) is mentioned.
This advisory can be found online at:
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org
-----END PGP SIGNATURE-----
.''`. Todo gira, todo vuelve, todo es mentira...
: :' :
`. `' Proudly running Debian GNU/Linux Sid (Kernel 2.4.18)
`- www.amayita.com www.malapecora.com www.chicasduras.com
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact email@example.com